Introduction to computer networks
Sander Klous
Topical lectures, June 2007

Acknowledgements:
• Cees de Laat
• Jan Just Keijser
• Oscar Koeroo

Reference:
• Cisco Systems – CCNA, ISBN 1-58720-095-3
Course overview
• Introduction
- ARPA net
- How the web was born
- Standard bodies
• Hardware
- Hubs and Switches
- Collision detection
- OSI Layers
• Topology
- Ethernet (LAN)
- Error discovery
- Wide Area Networks
• Routing
- IP networks
- Address resolution
- Routing protocols
- VLANs
• Protocols
- TCP and UDP
- Sockets and NAT
• Network Security
- Firewalls (briefly)
- (A)symmetric cryptography
- Public Key Infrastructure
ARPA net 1969
• Defense Advanced Research Projects Agency (DARPA)
- Military part (MILNET)
- Research part (ARPANET)
• First two IMPs (Interface Message Processors):
- UCLA (August 30, 1969)
- Stanford Research Institute (October 1, 1969)
• Decommissioned in 1990
ARPA net 1977 (figure: network map)
Original proposal of the WWW
• Gopher (University of Minnesota)
• Tim Berners-Lee
- Enquire (HyperText)
- TCP/IP
- DNS
- Uniform Resource Locator (URL)
• Mike Sendall
• Newsgroup announcement:
6 August 1991, 22:37
http://groups.google.com/group/alt.hypertext/msg/395f282a67a1916c
Google hits, August 14 2003 (figure)
• 1.1 billion internet users in 2007 (about 17% of the world population; about 50% of the population in the US and EU)
http://www.internetworldstats.com/stats.htm
• 11.5 Billion web pages (2005)
Standard bodies
• Institute of Electrical and Electronics Engineers (IEEE)
- Advancement of technology related to electricity
- IEEE 802.x LAN standards (802.3 Ethernet, 802.11 wireless LAN)
• Internet Engineering Task Force (IETF)
- Rob Blokzijl (ISOC member)
- Develops and promotes internet standards, published as Requests for Comments (RFCs)
- In close cooperation with W3C
• World Wide Web Consortium (W3C)
- Founded by Tim Berners-Lee, who is its director
- International standards organization for the WWW
Internet overview (figure)

Simple network (figure)

Simple network internals (figure)
Collision detection
CSMA/CD: Carrier Sense Multiple Access with Collision Detection: listen before sending; if two stations still transmit at the same time, both stop, wait a random back-off time and try again
Switched networks
• Shared medium (hub): usable occupancy < 30%, above that collisions dominate
• Switched networks
- Half duplex
- 100% of the link capacity usable
• Newer network cards
- Full duplex
- 2 x 100% (send and receive at the same time, no collisions)
OSI Layers (figure)

OSI Layer 2: Ethernet
• DIX: the original Ethernet specification by DEC, Intel and Xerox
• MAC address: Media Access Control address, the 48-bit hardware number of your Ethernet card
• FCS: Frame Check Sequence, a CRC over the frame (see Cyclic Redundancy Check)
• DSAP: Destination Service Access Point (IEEE 802.2 LLC header)
• SNAP: Subnetwork Access Protocol
Ethernet Frame Specification
• Note: error discovery is not error recovery; the FCS lets the receiver detect a damaged frame, which is silently dropped and left to a higher layer (e.g. TCP) to resend
• Maximum payload = 1500 bytes (the Ethernet MTU); with header and FCS the frame is up to 1518 bytes
Check sum – bidirectional parity
• One parity bit per row and per column of the data block
• Works well for single bit errors: the failing row and column parity together even locate the bit
• Misses some multi-bit patterns (e.g. four errors on the corners of a rectangle leave every parity bit correct)
Cyclic Redundancy Check
• Polynomial division: the bits of the frame are the coefficients of a polynomial, which is divided by a generator polynomial; the remainder is the CRC
• Based on Galois Field theory, GF(2)
- Coefficients are either 0 or 1
- Subtraction (and addition) in GF(2) is exclusive OR, so the division is a sequence of shifts and XORs
• The receiver divides frame plus CRC by the same generator: a nonzero remainder means the frame was damaged
Partially from Tanenbaum, Computer Networks, ISBN 0-13-038488-7
(figure: long division showing quotient, divisor and remainder)
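A worked version of the two slides above, added here as an example (it is not code from the lecture or from Tanenbaum): the GF(2) long division on bit strings with the classic textbook message 1101011011 and generator 10011, and the same idea at Ethernet scale, where the FCS is CRC-32 over the frame. The Ethernet frame is constructed for the demonstration; the function names are mine.

```python
"""CRC as polynomial division over GF(2), and the Ethernet frame check sequence."""
import struct
import zlib


def mod2_remainder(bits: str, generator: str) -> str:
    """Divide `bits` by `generator` in GF(2). Subtraction is XOR, so wherever the
    leading bit of the working register is 1 the generator is XORed in.
    Returns the remainder, one bit shorter than the generator."""
    reg = [int(b) for b in bits]
    gen = [int(b) for b in generator]
    k = len(gen) - 1
    for i in range(len(reg) - k):
        if reg[i] == 1:                       # leading coefficient set: subtract
            for j in range(len(gen)):
                reg[i + j] ^= gen[j]
    return "".join(str(b) for b in reg[-k:])


def crc_bits(message: str, generator: str) -> str:
    """Sender: append k zero bits (multiply by x^k) and take the remainder."""
    k = len(generator) - 1
    return mod2_remainder(message + "0" * k, generator)


def crc_bits_ok(transmitted: str, generator: str) -> bool:
    """Receiver: message + CRC must be an exact multiple of the generator."""
    return int(mod2_remainder(transmitted, generator), 2) == 0


def crc32_ieee(data: bytes) -> int:
    """CRC-32 as used for the Ethernet FCS (IEEE 802.3): generator 0x04C11DB7,
    processed bit-reflected (0xEDB88320), register preset to all ones,
    result complemented. Same division as above, one byte at a time."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def cross_check(data: bytes) -> bool:
    """Our bitwise CRC-32 must agree with the library implementation."""
    return crc32_ieee(data) == zlib.crc32(data)


def add_fcs(frame_without_fcs: bytes) -> bytes:
    """The FCS is appended least significant byte first."""
    return frame_without_fcs + struct.pack("<I", crc32_ieee(frame_without_fcs))


def fcs_ok(frame: bytes) -> bool:
    body, fcs = frame[:-4], frame[-4:]
    return struct.pack("<I", crc32_ieee(body)) == fcs


def parse_frame(frame: bytes) -> dict:
    """Minimal Ethernet II header parser (no 802.1Q tag handling)."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {
        "dst": ":".join(f"{b:02x}" for b in dst),
        "src": ":".join(f"{b:02x}" for b in src),
        "ethertype": ethertype,
        "payload": frame[14:-4],
        "fcs_ok": fcs_ok(frame),
    }


# Constructed sample frame: broadcast destination, locally administered source
# MAC, EtherType 0x0800 (IPv4), payload padded to the 46-byte minimum.
SAMPLE = add_fcs(
    bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    + struct.pack("!H", 0x0800) + b"hello, network".ljust(46, b"\x00")
)


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate a transmission error: flip one bit of the frame."""
    b = bytearray(frame)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


if __name__ == "__main__":
    print(crc_bits("1101011011", "10011"))                 # remainder 1110
    print(parse_frame(SAMPLE))
    print(parse_frame(flip_bit(SAMPLE, 100))["fcs_ok"])    # damaged frame: False
```

The textbook pair yields remainder 1110, so 11010110111110 goes on the wire and divides out to zero at the receiver; a single flipped bit anywhere in the 64-byte sample frame makes `fcs_ok` fail, which is exactly the "error discovery, not recovery" point of the frame slide.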
Wide Area Networks
Router: connects networks that use different OSI layer 2 protocols (e.g. Ethernet on the LAN side, PPP on the WAN link)
PPP: Point to Point Protocol
WAN Internals
• Channel Service Unit (CSU)
• Customer Premises Equipment (CPE)
• High Level Data Link Control (HDLC)
• Asynchronous Transfer Mode (ATM)
Maximum Transmission Unit (MTU)
• A packet larger than the MTU of a link is fragmented into equal sized pieces (the last one may be smaller) and reassembled at the destination
• Jumbo frames (a larger MTU): a configuration challenge, every device on the path has to support them
- Avoid fragmentation and reassembly
- Avoid too much overhead (one header per packet)
Multiple links: Frame Relay
• Frame Relay Protocols
• Telecom Operator Agreements
• See also Border Gateway Protocol (BGP)
OSI Layer 3: Networking
• Internet Protocol (IP) addresses ("IP numbers")
• In Europe, address policies are managed by RIPE (the RIPE NCC)
- Started (1992) from a NIKHEF office, now at Singel 258, Amsterdam
• Originally three classes of networks (A, B and C; class D is multicast, E is reserved)
IP network (figure: routers connecting the networks 150.1.0.0, 150.2.0.0, 150.3.0.0 and 150.4.0.0 through the interfaces 150.1.0.1, 150.1.0.2, 150.2.0.1, 150.2.0.2, 150.3.0.1, 150.4.0.1 and 150.4.0.2; 6 Class B networks in total, one per link)
Subnets
• Split the host identification in two parts:
- Subnet
- Host ID
• Splitting at bit level: the subnet mask says how many bits belong to network + subnet, the rest identify the host
• Number of bits available: (table)
IP network with subnets (figure: 1 Class B network, 150.150.0.0, split into the subnets 150.150.1.0, 150.150.2.0, 150.150.3.0 and 150.150.4.0 with the interfaces 150.150.1.1, 150.150.1.2, 150.150.2.1, 150.150.2.2, 150.150.3.1, 150.150.4.1 and 150.150.4.2)
Subnet calculation (table: number of masked bits (network + subnet) against the resulting number of subnets and hosts per subnet)
Boolean subnet calculations
Suppose your host definition is:
• 199.1.1.100/27
• Subnet mask: 255.255.255.224 (27 one-bits; the last octet is 11100000)
• Number of subnets: 2^3 – 2 = 6 under the classic rule that the first and last subnet are not used (classless routers use all 2^3 = 8)
• Number of hosts per subnet: 2^5 – 2 = 30
• Subnet addresses start at:
0, 32, 64, 96, 128, 160, 192, 224
• Your subnet range is (host address AND mask gives the network address 199.1.1.96):
97 – 126
96 and 127 are reserved addresses (the network address and the broadcast address)

Private network ranges
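The boolean subnet calculation of the slide carried out in code, together with the private ranges that the next heading refers to (RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16). This is an added example, not code from the lecture; 199.1.1.100/27 is the slide's own address, the function names are mine. The same-subnet test at the end is what a host does before deciding between ARP and its default gateway.

```python
"""Subnet arithmetic with AND / OR / NOT on 32-bit addresses, plus RFC 1918 checks."""
import ipaddress


def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(prefix: int) -> int:
    """`prefix` one-bits followed by zero-bits, e.g. /27 -> 255.255.255.224."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_info(cidr: str) -> dict:
    """Mask, network, broadcast and usable host range, by bit operations only."""
    host, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = prefix_mask(prefix)
    addr = ip_to_int(host)
    network = addr & mask                          # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)     # host bits set
    usable = max(2 ** (32 - prefix) - 2, 0)        # minus network and broadcast
    return {
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1) if usable else None,
        "last_host": int_to_ip(broadcast - 1) if usable else None,
        "usable_hosts": usable,
    }


def subnets_of(network: str, new_prefix: int, subnet_zero: bool = True) -> list:
    """Enumerate the subnets of a network. subnet_zero=False applies the classic
    rule from the slide (first and last subnet unused, 2^n - 2 subnets);
    modern classless routers use all 2^n of them."""
    net = ipaddress.ip_network(network, strict=False)
    subs = [str(s) for s in net.subnets(new_prefix=new_prefix)]
    return subs if subnet_zero else subs[1:-1]


# RFC 1918 private ranges: not routed on the public internet, used behind NAT.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in n for n in PRIVATE)


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """Two hosts talk directly (ARP, no router) only when this holds."""
    mask = prefix_mask(prefix)
    return ip_to_int(a) & mask == ip_to_int(b) & mask


if __name__ == "__main__":
    print(subnet_info("199.1.1.100/27"))
    print(subnets_of("199.1.1.0/24", 27, subnet_zero=False))
    print(is_private("172.31.4.9"), is_private("172.32.0.1"))
```

Note the 172.16.0.0/12 boundary: 172.31.x.x is private, 172.32.x.x is not; this is a common mistake in hand-written firewall rules.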
Address Resolution Protocol (ARP)
• Ethernet does not use IP addresses
• Ethernet needs the MAC address
• The Address Resolution Protocol ties them together: "who has IP x? tell y" is broadcast on the segment and the owner of x replies with its MAC address
• ARP has no authentication: any host on the segment can answer for any IP address (ARP spoofing), so the ARP cache of a host is untrusted data
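The request/reply exchange of the slide in code, as an added example (not from the lecture): frames are built and parsed in the RFC 826 layout for Ethernet/IPv4, and the receiving host keeps an IP-to-MAC cache that, instead of silently overwriting an entry, records a reply that claims an already known IP with a different MAC. The MAC and IP values and the conflicting "spoof" reply are constructed for the demonstration; the class and function names are mine.

```python
"""ARP frame encoding/decoding and a cache that flags conflicting bindings."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet header + 28-byte ARP body. A request is broadcast; a reply goes
    straight to the requester's MAC."""
    dst = BROADCAST if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # hw=Ethernet, proto=IPv4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]
    return {
        "op": op,
        "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20]),
    }


class ArpCache:
    """IP -> MAC table as a host keeps it. Because ARP carries no proof of
    ownership, a MAC change for a known IP is the classic sign of ARP spoofing;
    it is recorded here and the first binding is kept."""

    def __init__(self):
        self.table = {}
        self.conflicts = []

    def observe(self, frame: bytes) -> None:
        a = parse_arp(frame)
        ip, mac = a["sender_ip"], a["sender_mac"]
        if ip in self.table and self.table[ip] != mac:
            self.conflicts.append((ip, self.table[ip], mac))
            return
        self.table[ip] = mac

    def lookup(self, ip: str):
        return self.table.get(ip)


def demo() -> ArpCache:
    cache = ArpCache()
    # constructed: "who has 192.0.2.1? tell 192.0.2.10"
    req = build_arp(ARP_REQUEST, "02:00:00:00:00:10", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1")
    # the legitimate gateway answers
    rep = build_arp(ARP_REPLY, "02:00:00:00:00:01", "192.0.2.1", "02:00:00:00:00:10", "192.0.2.10")
    # a second station claims the same IP with another MAC (spoof attempt)
    spoof = build_arp(ARP_REPLY, "02:00:00:00:00:66", "192.0.2.1", "02:00:00:00:00:10", "192.0.2.10")
    for frame in (req, rep, spoof):
        cache.observe(frame)
    return cache


if __name__ == "__main__":
    c = demo()
    print(c.table)
    print(c.conflicts)
```

Keeping the first binding is a simplification: real stacks accept the newest reply, which is precisely what makes spoofing work, and the defences (static entries, switch port security, dynamic ARP inspection) live outside the protocol.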
Ethernet route discovery (figure)
• Building address tables: a switch learns which MAC address sits behind which port from the source address of the frames it receives; frames for an unknown destination are flooded to all ports

Switch routing (figure)
Redundant links
• Avoid loops at all costs: Ethernet frames carry no hop count, so in a loop they circulate forever and flood the network
- Additional hops
• Spanning Tree Protocol (STP, IEEE 802.1D)

Rerouting (figure)
Spanning Tree Protocol rules
1. Decide which switch is the root switch
- Based on priority (set manually; the lowest value wins)
- Ties are broken by the lowest switch MAC address
2. All ports of the root switch are forwarding
3. On every other switch the port with the shortest (lowest cost) route to the root switch is forwarding; ports that would close a loop are blocked
4. In case an existing route fails: rerun the procedure
- Convergence takes about 50 seconds
• Improved version: Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w), which converges in seconds
• Note: any switch that announces a lower priority becomes root, so ports towards end users should not accept such announcements (root guard / BPDU guard)
WAN Routing: Border Gateway Protocol (BGP)
• Based on telecom operator policies rather than on shortest paths
• Each operator has an autonomous system (AS) with its own AS number
• Avoid loops at all costs: every AS prepends its number to the AS path of a route it passes on, and a router drops any route whose path already contains its own AS number
• Note that routers work at OSI Layer 3 – IP addresses
Link state protocol (WAN spanning tree)
• Contrast with Distance Vector Protocols (RIP), where routers only exchange their routing tables
• Shortest Path First (SPF), AKA Dijkstra's Algorithm
- Weighted links (the cost, e.g. in Euros)
• Build routing table
- Closest first
- Who is your neighbor?
• List of all links and routes (the complete map)
- In all routers
(figure: weighted graph with a vertex highlighted)
Dijkstra's algorithm
Graph (V), where V is a set of vertices (v_i)
1. The length of the shortest path from vertex v_0 to a vertex v_k is l(v_k)
- So l(v_0) = 0; initialize all other lengths l(v_k) to ∞
2. Start from vertex v_j (j = 0) and consider all unlabeled neighbors (y_i)
3. Replace l(y_i) with min{ l(y_i), l(v_j) + w({v_j, y_i}) }
- Where w({v_j, y_i}) is the weight of the link between v_j and y_i
4. Choose the y_i with the smallest l(y_i) and label it v_{j+1}
5. Include the route from v_0 to v_{j+1} as a shortest path (it can not be improved any more)
6. Add all unlabeled neighbors of v_{j+1} to the set (y_i)
7. Increase the counter, j = j + 1, and repeat the procedure from step 3
8. The algorithm is complete when all vertices are labeled
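The algorithm above, added here as an example (not code from the lecture), used twice: once to build the next-hop table a link-state router keeps, and once for the Spanning Tree Protocol slides, where the root is elected by (priority, MAC) and every switch keeps only the links on its shortest path to the root while the rest are blocked. Both topologies are constructed; the "Euros" link costs and the STP path cost of 19 (the 802.1D value for 100 Mbit/s) are the only numbers taken from the slides and the standard.

```python
"""Dijkstra's shortest path first: routing table construction and STP port selection."""
import heapq

INF = float("inf")


def dijkstra(graph: dict, source):
    """graph: {vertex: {neighbour: weight}}. Returns (length, pred): length[v]
    is l(v) (0 for the source, inf if unreachable), pred[v] the previous
    vertex on that path. Each pop labels the vertex with the smallest tentative
    length; relaxation is l[y] = min(l[y], l[v] + w(v, y))."""
    length = {v: INF for v in graph}
    pred = {v: None for v in graph}
    length[source] = 0
    labelled = set()
    heap = [(0, source)]
    while heap:
        d, v = heapq.heappop(heap)
        if v in labelled:
            continue
        labelled.add(v)
        for y, w in graph[v].items():
            if y not in labelled and d + w < length[y]:
                length[y] = d + w
                pred[y] = v
                heapq.heappush(heap, (length[y], y))
    return length, pred


def path(pred: dict, source, dest) -> list:
    route, v = [], dest
    while v is not None:
        route.append(v)
        v = pred[v]
    route.reverse()
    return route if route and route[0] == source else []


def routing_table(graph: dict, router) -> dict:
    """A link-state router only needs the first hop of each shortest path."""
    length, pred = dijkstra(graph, router)
    table = {}
    for dest in graph:
        if dest != router and length[dest] != INF:
            table[dest] = (path(pred, router, dest)[1], length[dest])
    return table


# Constructed WAN with link costs in "Euros"; R3 is the intersection.
WAN = {
    "R1": {"R2": 1, "R3": 4},
    "R2": {"R1": 1, "R3": 2, "R4": 7},
    "R3": {"R1": 4, "R2": 2, "R4": 1, "R5": 3},
    "R4": {"R2": 7, "R3": 1, "R5": 1},
    "R5": {"R3": 3, "R4": 1},
}


def elect_root(switches: dict):
    """STP rule 1: lowest (priority, MAC) wins. Priority is set by hand, the
    MAC only breaks ties; a rogue switch announcing priority 0 would win."""
    return min(switches, key=lambda s: (switches[s]["priority"], switches[s]["mac"]))


def spanning_tree(switches: dict, links: dict):
    """STP rules 2-3: the links on each switch's shortest path to the root
    forward; every other link between switches is blocked."""
    root = elect_root(switches)
    _, pred = dijkstra(links, root)
    tree = {frozenset((s, pred[s])) for s in links if pred[s] is not None}
    all_links = {frozenset((a, b)) for a in links for b in links[a]}
    blocked = sorted(tuple(sorted(link)) for link in all_links - tree)
    return root, blocked


SWITCHES = {
    "SW1": {"priority": 32768, "mac": "00:00:0c:00:00:03"},
    "SW2": {"priority": 32768, "mac": "00:00:0c:00:00:01"},   # lowest MAC
    "SW3": {"priority": 32768, "mac": "00:00:0c:00:00:02"},
}
# Redundant triangle with equal-cost links: one of them has to be blocked.
LAN = {"SW1": {"SW2": 19, "SW3": 19}, "SW2": {"SW1": 19, "SW3": 19}, "SW3": {"SW1": 19, "SW2": 19}}

if __name__ == "__main__":
    print(routing_table(WAN, "R1"))          # every destination via R2
    print(spanning_tree(SWITCHES, LAN))      # ('SW2', [('SW1', 'SW3')])
```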
SPF Scalability – Topology Summarization (figure)
• Divide the network in areas
• Router 3 is an intersection (it belongs to more than one area)
• Topology summarization: routers inside an area only see the details of their own area
SPF Scalability – Route Summarization
• Classless inter domain routing (CIDR)
• Aggregate routes at ISP level
• Example below: all 198.* class C networks are ISP 1, so one route 198.0.0.0/8 replaces 65536 class C routes
• Routing protocols:
- Routing Information Protocol – RIP (hop counting)
- Open Shortest Path First – OSPF
- IGRP – Interior Gateway Routing Protocol (Cisco)
- EIGRP – Enhanced IGRP (Cisco)
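Route aggregation and the forwarding lookup it relies on, combined with the AS-path loop check from the BGP slide, as an added example (not code from the lecture): a speaker in a constructed AS 65001 receives updates, drops any whose AS path already contains 65001, keeps the shortest path per prefix, and forwards by longest prefix match, so a specific /24 learned from another ISP wins over the 198.0.0.0/8 aggregate of ISP 1. The AS numbers, prefixes and next hops are constructed; the class and function names are mine.

```python
"""BGP-style route selection with AS_PATH loop rejection and longest prefix match."""
import ipaddress


class BgpSpeaker:
    def __init__(self, local_as: int):
        self.local_as = local_as
        self.rib = {}            # ip_network -> (as_path, next_hop)
        self.rejected = []

    def receive_update(self, prefix: str, as_path: list, next_hop: str) -> bool:
        """Loop prevention: our own AS number in the path means the route has
        come round a circle, so it is dropped. Otherwise prefer the shortest
        AS path for the prefix (the simplest of BGP's selection rules)."""
        if self.local_as in as_path:
            self.rejected.append((prefix, tuple(as_path)))
            return False
        net = ipaddress.ip_network(prefix)
        current = self.rib.get(net)
        if current is None or len(as_path) < len(current[0]):
            self.rib[net] = (list(as_path), next_hop)
        return True

    def advertise(self, prefix: str) -> list:
        """What a neighbour receives from us: our AS prepended to the path."""
        as_path, _ = self.rib[ipaddress.ip_network(prefix)]
        return [self.local_as] + as_path

    def lookup(self, addr: str):
        """Longest prefix match: the aggregate 198.0.0.0/8 covers all 198.*
        class C networks, but a more specific route inside it wins."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, (as_path, next_hop) in self.rib.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, as_path)
        return best


def aggregate(prefixes) -> list:
    """Route summarization: collapse contiguous prefixes into supernets."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def demo() -> BgpSpeaker:
    r = BgpSpeaker(local_as=65001)
    # ISP 1 (AS 65010) announces the aggregate for all 198.* networks
    r.receive_update("198.0.0.0/8", [65010], "10.0.0.1")
    # a customer behind ISP 2 announces one class C more specifically
    r.receive_update("198.51.100.0/24", [65020, 65030], "10.0.0.2")
    # the same prefix over a longer path: ignored
    r.receive_update("198.51.100.0/24", [65010, 65020, 65030], "10.0.0.1")
    # a looped update: our own AS already appears in the path
    r.receive_update("203.0.113.0/24", [65020, 65001, 65040], "10.0.0.2")
    return r


if __name__ == "__main__":
    r = demo()
    print(r.lookup("198.51.100.7"))     # the /24 via 10.0.0.2
    print(r.lookup("198.18.0.1"))       # the /8 aggregate via 10.0.0.1
    print(r.rejected)
    print(aggregate(["198.51.0.0/24", "198.51.1.0/24", "198.51.2.0/23"]))
```

The more-specific-wins rule is also the mechanism behind prefix hijacks: nothing in this selection checks that AS 65030 is entitled to originate 198.51.100.0/24, which is what route filtering and origin validation add on top of plain BGP.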
Route poisoning
• In distance vector routing (RIP), routers publish their best route to each destination to their neighbors
• What happens if a route fails?
- Remove it from the table
- But…
How to update the other routers? Neighbors would keep advertising the old route back
• Route poisoning: keep the failed route in the table and advertise it with an infinite metric (16 hops in RIP) so that everybody invalidates it
Horizon splitting
• Counting to infinity: two routers keep learning the dead route from each other, each time one hop longer, until the metric reaches infinity
• Split horizon: never advertise a route back over the interface it was learned from (poison reverse: advertise it there with an infinite metric)
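The failure mode of the last two slides simulated, as an added example (not code from the lecture): three routers A - B - C in a chain, with a network attached to C. After the link to that network fails, C poisons the route (metric 16). Without split horizon, B still hands C the route it learned from C, and the metric climbs towards 16 one exchange at a time; with split horizon the poisoned route settles in three exchanges. The Bellman-Ford update per round and the chain topology are constructed for the demonstration; the names are mine.

```python
"""Distance-vector routing: count to infinity versus split horizon."""
INFINITY = 16                                # RIP: 16 hops means unreachable


class Router:
    def __init__(self, name, connected=()):
        self.name = name
        self.connected = set(connected)      # directly attached destinations
        self.neighbours = []
        self.vectors = {}                    # neighbour name -> its last advertisement
        self.table = {d: (1, None) for d in self.connected}   # dest -> (metric, next hop)

    def advertisement(self, to: str, split_horizon: bool) -> dict:
        """Split horizon: do not tell a neighbour about routes learned from it.
        A dead route stays in the table with metric 16 and is advertised as
        such (route poisoning) instead of being silently dropped."""
        return {d: m for d, (m, nh) in self.table.items()
                if not (split_horizon and nh == to)}

    def recompute(self) -> bool:
        """Bellman-Ford step: best metric per destination over all neighbours."""
        dests = set(self.table) | self.connected
        for adv in self.vectors.values():
            dests |= set(adv)
        new = {}
        for d in dests:
            best = (1, None) if d in self.connected else (INFINITY, None)
            for n, adv in self.vectors.items():
                if d in adv and min(adv[d] + 1, INFINITY) < best[0]:
                    best = (min(adv[d] + 1, INFINITY), n)
            new[d] = best
        changed = new != self.table
        self.table = new
        return changed


def exchange(routers, split_horizon: bool) -> bool:
    """One round: every router sends its vector, then everybody recomputes."""
    for r in routers:
        for n in r.neighbours:
            n.vectors[r.name] = r.advertisement(n.name, split_horizon)
    changes = [r.recompute() for r in routers]     # no short-circuit: all must run
    return any(changes)


def build_chain():
    a, b, c = Router("A"), Router("B"), Router("C", connected=["net"])
    a.neighbours, b.neighbours, c.neighbours = [b], [a, c], [b]
    return [a, b, c]


def converge(routers, split_horizon: bool, limit: int = 50) -> None:
    for _ in range(limit):
        if not exchange(routers, split_horizon):
            return


def simulate(split_horizon: bool) -> list:
    """Metrics for "net" at (A, B, C) before each exchange after the link
    C - net has failed, until the tables stop changing."""
    routers = build_chain()
    converge(routers, split_horizon)
    routers[2].connected.discard("net")          # link failure at C
    history = []
    for _ in range(50):
        history.append(tuple(r.table["net"][0] for r in routers))
        if not exchange(routers, split_horizon):
            break
    return history


if __name__ == "__main__":
    print(simulate(split_horizon=False))         # (3, 2, 1), (3, 2, 3), (3, 4, 3), ... (16, 16, 16)
    print(simulate(split_horizon=True))          # (3, 2, 1), (3, 2, 16), (3, 16, 16), (16, 16, 16)
```

The model is synchronous (all routers send, then all recompute), which is why the metrics move in pairs; real RIP timers make the sequence less regular but the shape is the same.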
Virtual LAN introduction
• A VLAN is essentially a broadcast domain.
• Two machines on different VLANs require a layer 3 device for communication (e.g. a router).
• Two machines on the same VLAN require only a layer 2 device for communication (e.g. a switch).
VLAN in real life
• NIKHEF: normal network and guest network (security: guests are kept in their own broadcast domain)
- VLANs are often combined with subnet masks (one IP subnet per VLAN)
• ATLAS trigger: redundancy, VLANs and MSTP (Multiple Spanning Tree Protocol) – Jos
Fine grained security at layer 3
• Access control lists (ACLs) on routers: filter on source and destination address (and port); the rules are evaluated top-down, the first match wins and anything not matched is denied
OSI Layer 4: Transport Protocols
• Transmission Control Protocol (TCP)
• Routing based on Internet Protocol (IP)
• Together: TCP/IP
TCP/IP basics
• Mixing the transport and network layer
• Packets contain the source and destination IP address
• Send a request and provide the reply address
• Most features are symmetric (both ends send and acknowledge)
TCP header (figure, reconstructed as a list):
• Source Port (16 bits), Destination Port (16 bits)
• Sequence Number (32 bits)
• Acknowledgement Number (32 bits)
• Length (data offset, 4 bits), Reserved (6 bits), Code bits (flags URG, ACK, PSH, RST, SYN, FIN; 6 bits), Window (16 bits)
• Checksum (16 bits), Urgent pointer (16 bits)
• Options (variable)
• Data

Working with acknowledgements
Working with sessions
• Initialize a TCP session (three-way handshake: SYN, SYN-ACK, ACK)
- With an arbitrary (random) initial sequence number; if it were predictable, an attacker could inject segments into or spoof a session
- Sessions are synchronized in two directions
• Connection is established, sequence numbers synchronized
- From that moment, sequence = initial sequence number + total number of bytes sent
Acknowledgements in detail
• Agreement on how many bytes may be sent before a confirmation of reception is required.
- This amount is called the window (size)
- In the example below: X = 3000
Error recovery
• Re-transmission when the acknowledgement reports that data is missing (the receiver keeps acknowledging the last byte it received in order)
• A timeout triggers re-transmission
• Packet reordering by sequence number
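The session, acknowledgement and recovery slides in one runnable model, added here as an example (not code from the lecture): two endpoints do the three-way handshake with their own initial sequence numbers, the client sends a 3000-byte window in three segments, the receiver answers every segment with a cumulative ACK, and a segment dropped on the wire shows up as a repeated ACK for the same byte until it is retransmitted. The segment size and the dropped segment are constructed; the class and function names are mine.

```python
"""Miniature TCP: handshake, sequence/acknowledgement numbers, window, retransmission."""
import random
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int
    ack: int
    flags: set
    data: bytes = b""


def random_isn() -> int:
    """Unpredictable initial sequence number; a guessable ISN lets an attacker
    spoof the third handshake packet or inject data into a session."""
    return random.SystemRandom().randrange(2 ** 32)


@dataclass
class Endpoint:
    name: str
    isn: int
    window: int = 3000                    # the slide's X: bytes allowed before an ACK
    snd_nxt: int = 0                      # next byte to send
    rcv_nxt: int = 0                      # next byte expected from the peer
    received: bytearray = field(default_factory=bytearray)
    out_of_order: dict = field(default_factory=dict)

    def __post_init__(self):
        self.snd_nxt = self.isn

    def syn(self) -> Segment:
        seg = Segment(self.snd_nxt, 0, {"SYN"})
        self.snd_nxt += 1                 # SYN consumes one sequence number
        return seg

    def syn_ack(self, syn: Segment) -> Segment:
        self.rcv_nxt = syn.seq + 1
        seg = Segment(self.snd_nxt, self.rcv_nxt, {"SYN", "ACK"})
        self.snd_nxt += 1
        return seg

    def ack(self) -> Segment:
        return Segment(self.snd_nxt, self.rcv_nxt, {"ACK"})

    def send_data(self, payload: bytes, mss: int = 1000) -> list:
        """One window's worth of segments; seq = ISN + bytes sent so far."""
        if len(payload) > self.window:
            raise ValueError("send at most one window before waiting for an ACK")
        segs = []
        for i in range(0, len(payload), mss):
            chunk = payload[i:i + mss]
            segs.append(Segment(self.snd_nxt, self.rcv_nxt, {"ACK"}, chunk))
            self.snd_nxt += len(chunk)
        return segs

    def receive(self, seg: Segment) -> Segment:
        """In-order data is accepted, out-of-order data parked; the returned
        ACK always names the next byte expected, so a gap repeats the same ACK."""
        if seg.seq == self.rcv_nxt:
            self.received += seg.data
            self.rcv_nxt += len(seg.data)
            while self.rcv_nxt in self.out_of_order:        # drain parked segments
                nxt = self.out_of_order.pop(self.rcv_nxt)
                self.received += nxt
                self.rcv_nxt += len(nxt)
        elif seg.seq > self.rcv_nxt:
            self.out_of_order[seg.seq] = seg.data
        return self.ack()


def handshake(client: Endpoint, server: Endpoint):
    syn = client.syn()
    synack = server.syn_ack(syn)
    client.rcv_nxt = synack.seq + 1
    ack = client.ack()
    if ack.ack != server.snd_nxt:
        raise ValueError("third packet does not acknowledge the server's ISN")
    return syn, synack, ack


def transfer(client: Endpoint, server: Endpoint, payload: bytes, lose_index=None) -> list:
    """Send payload; optionally drop one segment on the wire, then retransmit it
    once the ACK is seen to be stuck at the gap. Returns the ACK numbers."""
    segs = client.send_data(payload)
    acks, lost = [], None
    for i, seg in enumerate(segs):
        if i == lose_index:
            lost = seg                                      # dropped by the network
            continue
        acks.append(server.receive(seg).ack)
    if lost is not None and acks and acks[-1] == lost.seq:  # duplicate ACK at the gap
        acks.append(server.receive(lost).ack)               # retransmission
    return acks


if __name__ == "__main__":
    c, s = Endpoint("client", random_isn()), Endpoint("server", random_isn())
    print(handshake(c, s))
    print(transfer(c, s, b"x" * 3000, lose_index=1))        # [isn+1001, isn+1001, isn+3001]
```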
Sliding windows, congestion control
• Successful transfer
- Window size increases
- Reduce latency effects (more data in flight per round trip)
• Failed transfer
- Window size reduces
• Window size updates are asynchronous (the receiver advertises its window in every segment it sends)
(figure: window size versus time, starting with slow start)
Socket concept (figure)
• Multiplexing on different ports
Network Address Translation (NAT)
• Provides internet access to private networks (the private address ranges are not routed on the internet)
• Changes the IP address and port number of outgoing packets and translates the replies back using a table
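The translation table behind the slide, as an added example (not code from the lecture): outgoing packets get the router's public address and a fresh port, so two inside hosts using the same private port do not collide; replies are mapped back by port, and an inbound packet with no table entry is dropped, which is the crude stateful filtering a NAT gives for free. The addresses and packets are constructed; the class name is mine.

```python
"""Port-overloading NAT (NAPT) with an explicit translation table."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}     # (proto, private ip, private port) -> public port
        self.inbound = {}      # (proto, public port) -> (private ip, private port)

    def translate_out(self, pkt: Packet) -> Packet:
        """Private socket -> public socket. An existing mapping is reused so a
        connection keeps its port for its whole lifetime."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_in(self, pkt: Packet):
        """Public socket -> private socket. None means no mapping exists: the
        packet was not solicited from inside and is dropped."""
        inner = self.inbound.get((pkt.proto, pkt.dst_port))
        if inner is None or pkt.dst_ip != self.public_ip:
            return None
        return replace(pkt, dst_ip=inner[0], dst_port=inner[1])


def demo():
    nat = Nat("203.0.113.5")
    out1 = nat.translate_out(Packet("192.168.1.10", 51000, "198.51.100.20", 80))
    # a second host happens to use the same private source port
    out2 = nat.translate_out(Packet("192.168.1.11", 51000, "198.51.100.20", 80))
    reply = nat.translate_in(Packet("198.51.100.20", 80, "203.0.113.5", out2.src_port))
    unsolicited = nat.translate_in(Packet("198.51.100.99", 4444, "203.0.113.5", 22))
    return nat, out1, out2, reply, unsolicited


if __name__ == "__main__":
    nat, out1, out2, reply, unsolicited = demo()
    print(out1, out2, reply, unsolicited, sep="\n")
```

Real NATs also age entries out and match the remote socket as well (so-called symmetric NAT); the table here keys on the public port alone, which is enough to show why the reply reaches the right inside host and why a port scan of the public address sees nothing.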
User Datagram Protocol (UDP)
• UDP for real-time applications (no connection, no retransmission, no ordering)
• UDP header: Source Port, Destination Port, Length, Checksum (16 bits each)
Well known applications (figure)
• Running in parallel on different ports
• A socket consists of: (IP address, protocol, port)
Security at layer 4+
• Firewalls
- Expensive: inspection at layer 4+ requires a lot of resources (connection state, parsing of application data)
• Protection against internet worms
- Worms spread through vulnerabilities in applications
• Protection against Denial Of Service attacks
- Many requests to the same application make it unresponsive
• Distributed Denial Of Service attacks
- Attack the application from many different machines
- Avoids blocking the attack based on IP address
Firewall types
• First generation
- Packet inspection (stateless packet filter)
- Check IP address and port number and filter
• Second generation
- Stateful firewall (i.e. state aware)
- Distinguishes between existing and new connections
• Third generation
- Proxy based firewalls
- Application aware
- Inspects traffic on application specific features
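The first two generations side by side, and the layer 3 ACL from the earlier slide, as one added example (not code from the lecture): an ordered rule list evaluated top-down with first match and an implicit deny, then a stateful wrapper that remembers connections the ACL admitted so that return traffic passes without a blanket rule for "anything from port 80". The rules, addresses and packets are constructed; the class and function names are mine.

```python
"""Stateless ACL evaluation and a stateful connection-tracking filter on top of it."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False            # True for the first segment of a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: int = None            # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate_acl(rules, p: Packet) -> str:
    """Router ACL / first generation firewall: top-down, first match wins."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"                # implicit deny at the end of every ACL


class StatefulFirewall:
    """Second generation: new connections are checked against the ACL, packets
    belonging to an admitted connection (either direction) pass, and a TCP
    packet that is neither a connection start nor part of a known connection
    is dropped."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()      # (proto, src, sport, dst, dport)

    def filter(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if flow in self.connections or reverse in self.connections:
            return "permit (established)"
        if p.proto == "tcp" and not p.syn:
            return "deny (no connection)"
        verdict = evaluate_acl(self.rules, p)
        if verdict == "permit":
            self.connections.add(flow)
        return verdict


# Constructed policy: the LAN may reach the web server on port 80; the server
# may not open connections into the LAN; everything else hits the implicit deny.
RULES = [
    Rule("permit", src="192.168.1.0/24", dst="198.51.100.20/32", proto="tcp", dport=80),
    Rule("deny", src="198.51.100.0/24", dst="192.168.1.0/24"),
]


def demo() -> tuple:
    fw = StatefulFirewall(RULES)
    out = fw.filter(Packet("192.168.1.10", 51000, "198.51.100.20", 80, syn=True))
    back = fw.filter(Packet("198.51.100.20", 80, "192.168.1.10", 51000))
    probe = fw.filter(Packet("198.51.100.20", 80, "192.168.1.10", 3389, syn=True))
    stray_ack = fw.filter(Packet("198.51.100.20", 80, "192.168.1.10", 51001))
    return out, back, probe, stray_ack


if __name__ == "__main__":
    print(demo())   # ('permit', 'permit (established)', 'deny', 'deny (no connection)')
```

Two things worth checking in the tests below: the stateless ACL alone would drop the legitimate reply (a first generation filter needs a separate rule for return traffic, which then also admits probes sent from source port 80), and a broad deny placed above a specific permit shadows it, the classic ordering mistake.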
Cryptography
• Cryptography: D_k(E_k(P)) = P
- D = Decryption algorithm, E = Encryption algorithm and k = key
- P = Plain text
• Kerckhoffs's principle:
- All algorithms should be public, only keys are secret
• Symmetric (Asymmetric) key algorithms:
- The same (a different) key is used for encryption and decryption
• Examples of symmetric key algorithms
(based on substitutions and permutations):
- (Triple) DES = Data Encryption Standard (single DES with its 56-bit key is obsolete)
- AES = Advanced Encryption Standard
From Tanenbaum, Computer Networks, ISBN 0-13-038488-7
AES algorithm introduction
One round of AES (figure):
1. S box (16 x 16) lookup (SubBytes)
2. Shift rows with increasing steps (ShiftRows)
3. Multiply with a polynomial (MixColumns, arithmetic in GF(2^8))
4. Combine with the secret (round) key (AddRoundKey)
Asymmetric key algorithms
• Weak point of symmetric ciphers such as AES: distribution of the key
- If the key is known, D_k and E_k are known
• Solution: use different keys for encryption and decryption
- Still: D_k2(E_k1(P)) = P
• Make E_k1 publicly available
- It should be very difficult to deduce D_k2 from E_k1
• Additional complication
- Part of the information is out in the open (k1)
• Examples of asymmetric key algorithms:
- DSA = Digital Signature Algorithm
- RSA = Rivest, Shamir and Adleman (MIT)
RSA overview
• Choose two large prime numbers p and q (1024 bits or more each)
• Compute n = p x q and z = (p - 1) x (q - 1)
• Find a number d smaller than z
- Where d and z should not have a common factor
• Find a number e
- Where e x d = 1 mod z
i.e. e x d = 1 + (k x z) for some integer k
• You need (e, n) to encrypt and (d, n) to decrypt: C = P^e mod n, P = C^d mod n
- See example on next page
• It is extremely difficult to find p and q from n (factorization); that is what keeps d secret
Toy example RSA encryption
• For p = 3, q = 11: n = 3 x 11 = 33, z = 2 x 10 = 20
• Choose d = 7 (20 and 7 do not have common factors)
• Solve 7 x e = 1 mod 20, so e = 3 (7 x 3 = 21 = 1 + 20)
• Encrypt P = 4: C = 4^3 mod 33 = 64 mod 33 = 31; decrypt: 31^7 mod 33 = 4
• Note: asymmetric cryptography is slow, due to the large key sizes and the modular exponentiation
Public Key Infrastructure (PKI) (figure)

Public Key Infrastructure (Identification)
• Grid mechanisms
• X.509 Certificates
- Definitions
- Procedures
- Based on RSA (typically): a certificate binds a name to a public key and is signed by a Certificate Authority (CA)
Transport Layer Security (TLS)
State of the art in secure connections
1. Client contacts the server, server sends its certificate
2. Client checks the digital signature of the CA on that certificate
3. Client checks the server certificate (name matches the server, validity period, not revoked)
• Protection against man in the middle attacks: an impostor can not present a certificate for that name signed by a trusted CA
4. Client and server agree on an encryption method (the client offers a list, the server chooses)
5. Switch to symmetric encryption (e.g. AES) with a freshly exchanged session key
6. All kinds of additional measures (integrity checks, replay protection)
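The RSA toy example and the TLS steps above carried through in one added example (not code from the lecture): key generation with the slide's p = 3, q = 11 (e = 3, d = 7, n = 33), encryption and decryption, and, with the same routines, a miniature PKI in which a CA signs the server's public key, the client verifies that signature and the name before trusting the key, and then sends a symmetric session key under it. The certificate format, the names and the CA primes are mine; the CA key uses two known larger primes only so that a forged certificate fails verification deterministically, and all of this is a toy: a 33-bit modulus, let alone n = 33, is trivially factored. `pow(e, -1, z)` needs Python 3.8 or later.

```python
"""RSA with the slide's toy numbers, plus a CA-signed key and the TLS-style check."""
import hashlib
from math import gcd

CA_P, CA_Q = 4294967291, 2147483647      # two known primes (2^32 - 5 and 2^31 - 1)


def keygen(p: int, q: int, e: int):
    """Slide's recipe with the roles used in practice: e public, d private,
    e * d = 1 mod z with z = (p-1)(q-1). Returns (public, private)."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must have no common factor with (p-1)(q-1)")
    d = pow(e, -1, z)                     # modular inverse
    return (e, n), (d, n)


def encrypt(pub, m: int) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)                   # C = P^e mod n


def decrypt(priv, c: int) -> int:
    d, n = priv
    return pow(c, d, n)                   # P = C^d mod n


def digest(data: bytes, n: int) -> int:
    """Hash-then-sign: the signature covers a digest reduced into [0, n)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    d, n = priv
    return pow(digest(data, n), d, n)     # signing = applying the private key


def verify(pub, data: bytes, signature: int) -> bool:
    e, n = pub
    return pow(signature, e, n) == digest(data, n)


def cert_body(subject: str, pub) -> bytes:
    """What the CA signs: the identity bound to the public key."""
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def certificate(subject: str, subject_pub, ca_priv) -> dict:
    """Minimal stand-in for an X.509 certificate."""
    return {"subject": subject, "pub": subject_pub,
            "sig": sign(ca_priv, cert_body(subject, subject_pub))}


def client_handshake(cert: dict, ca_pub, expected_name: str, session_key: int) -> int:
    """TLS steps 2-5 of the slide: verify the CA signature over name + key,
    check the name, then send the session key under the server's public key."""
    if not verify(ca_pub, cert_body(cert["subject"], cert["pub"]), cert["sig"]):
        raise ValueError("certificate signature invalid")
    if cert["subject"] != expected_name:
        raise ValueError("certificate is for a different server")
    return encrypt(cert["pub"], session_key)


def demo():
    server_pub, server_priv = keygen(3, 11, 3)          # slide: e = 3, d = 7, n = 33
    ca_pub, ca_priv = keygen(CA_P, CA_Q, 65537)
    cert = certificate("www.example.org", server_pub, ca_priv)
    c = client_handshake(cert, ca_pub, "www.example.org", 4)   # session key 4 < n
    return server_priv, c, decrypt(server_priv, c)


if __name__ == "__main__":
    print(demo())        # ((7, 33), 31, 4)
```

The man-in-the-middle check in the tests swaps the server's key for an attacker's key inside an otherwise valid certificate: because the signature covers name and key together, verification fails, which is the property step 2 of the slide relies on.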
Advanced topics, not covered
• Network (and link) layer security
- PAP, CHAP (PPP authentication)
• IPv6 and IPSec
- Successor of IPv4, 128 bit addresses = 2^128 ≈ 3.4 x 10^38 addresses
- Not backward compatible on the wire; dual stack and tunnelling are used in the transition
• Optical networks (lambdas)
- Dense Wave Length Division Multiplexing (DWDM)
- Optical Private Networks (OPNs)
- Switching optical networks (ONS boxes)
Advanced topics, not covered - continued
• Application layer
- DNS, P2P, VPN
- Email, HyperText
• Distributed File Systems
- AFS, NFS, etc.
• Unicast versus Multicast
- Time To Live (TTL)
• Grid
Figure credit: Cees de Laat